LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-26-2010, 06:46 PM   #16
beadyallen
Hi paddyjoesoap.
I've not used DD-WRT, but if you installed OpenWRT onto the router, VLAN setup is very easy (I would guess that DD-WRT can be coaxed to do the same). You can easily configure as many as you want (one for each ethernet port on the WRT). The default setup is to make two, one for the internal LAN and one for WAN. The LAN VLAN is then bridged with the wireless ethernet.

I commonly do exactly what you want, in that I specify one port as an 'admin' port when messing around with the firewall on such devices. It prevents you from getting locked out and having to reflash the device. e.g. I might have an internal network of 192.168.1.0/24 on ports 1,2 and 3, port 4 might be assigned an ip of 10.10.10.10 that I leave alone in any firewall configurations.

I would however point out that VLANS shouldn't really be used for security. Since the vlans are software based, it's potentially possible for an attacker to create specially crafted packets that will hop across the vlans (the vlan id is just an extra few bytes tagged onto a packet).

By all means set up the vlans, but you should bear in mind that your main security should be on the wireless. Using WPA2 and a good (20+ random characters) wireless password would mean it'd be easier for an attacker to break into the building to get physical access than try to hack the wireless.

Hope that helps.
 
Old 01-27-2010, 02:24 AM   #17
zhjim
After looking at the diagram you should be able to set up some iptables rules on the vlan0 or directly on the br0 to firewall the inter-LAN communication. Try the log rule I provided or something like this:

Code:
# interfaces are matched with -i/-o; -s/-d expect IP addresses, not interface names
iptables -I FORWARD -i br0 -j LOG --log-ip-options
iptables -I FORWARD -o br0 -j LOG --log-ip-options
I'll wait till the weekend and see how it goes.
 
Old 02-01-2010, 02:59 AM   #18
paddyjoesoap
Original Poster
Hi zhjim,

I didn't get a chance to deploy those firewall rules at the weekend.

I didn't find any central repository for the firewall rules to modify. I posted to the dd-wrt forum and didn't receive a constructive response.

The issue I have is that, if I add those rules via the Administration-Console tab in the Web GUI, I have no way to remove them later (I don't know their rule index etc).

It appears that DD-WRT hard codes the default rules with its C-code.

This has all sorts of complications as it means it becomes highly likely that my own rules will unintentionally restrict or relax the default dd-wrt rule-set. I am talking here about rule conflicts due to the inappropriate rule order/indexing.

I'll need to dig a little deeper into this issue next weekend, but just sticking my own rules before the default dd-wrt rule-set (as suggested in the dd-wrt forum) is not a good thing to do: http://www.mnlab.cs.depaul.edu/pubs/noms06-mining.pdf

I'll keep you posted on any developments.

Cheers,
Paddy.
 
Old 02-01-2010, 04:18 AM   #19
paddyjoesoap
Original Poster
Just came across Open-Wrt and it appears it allows you to add your own rules in a user defined script and also, but not recommended, the modification of the default rule-set.

http://wiki.openwrt.org/oldwiki/openwrtdocs/iptables

I may replace dd-wrt with open-wrt at the weekend and start playing around with this.

I'll post back as to the reconfigurability of open-wrt soon.

cheers,
Paddie.
 
Old 02-01-2010, 05:48 AM   #20
zhjim
In my opinion we are at the step to see which chain the inter-LAN packets take, so we should be able to just insert our rule at the top and, when done with following the way, delete them.

Add rules
Code:
iptables -I FORWARD -i br0 -j LOG --log-ip-options
(Note the -I for Insertion. Without a number after the chain name it's put first in line)

Remove rules
Code:
iptables -D FORWARD 1
No sticky fingers no nothing

Here are two links from the dd-wrt forum that at least prove to me that we are able to follow this thing as if it were on a normal Linux system.

Enable syslog to get us the info
http://www.dd-wrt.com/wiki/index.php...ng_with_DD-WRT

Connect to router and log into shell
http://www.dd-wrt.com/wiki/index.php...e_Command_Line


The link you provided for openwrt seems to make it easy to adopt one's own firewall rules, and it's clearly explained. Go ahead.

Cheers Zhjim
 
Old 02-10-2010, 09:34 AM   #21
paddyjoesoap
Original Poster
laptop = 192.168.2.145 and is connected to the DD-WRT by WiFi
printer = 192.168.2.108 and is connected to the DD-WRT by LAN-PORT

Code:
iptables -I FORWARD -i br0 -j LOG --log-ip-options
Will only capture packets that leave the WAN interface for the internet.
For example:
Code:
Feb 10 15:17:29 tier2router user.warn kernel: IN=br0 OUT=vlan1 SRC=192.168.2.145 DST=87.248.210.254 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59937 DF PROTO=TCP SPT=45324 DPT=80 WINDOW=226 RES=0x00 ACK URGP=0 
Feb 10 15:17:29 tier2router user.warn kernel: IN=br0 OUT=vlan1 SRC=192.168.2.145 DST=87.248.210.254 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=30735 DF PROTO=TCP SPT=45326 DPT=80 WINDOW=192 RES=0x00 ACK URGP=0
Tried the following. It records traffic in the opposite direction.
Code:
iptables -I FORWARD -i vlan1 -j LOG --log-ip-options
Code:
Feb 10 15:19:42 tier2router user.warn kernel: IN=vlan1 OUT=br0 SRC=87.248.210.254 DST=192.168.2.145 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=53033 DF PROTO=TCP SPT=80 DPT=45521 WINDOW=12466 RES=0x00 ACK URGP=0
If I try and ping my printer, no logging occurs.

Tried also
Code:
iptables -I FORWARD -i vlan0 -j LOG --log-ip-options
Does not capture any logs from the Internet or from pinging the printer.

Code:
iptables -I FORWARD -i vlan0 -j LOG --log-ip-options
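A small parser, added here as an example and not part of the thread, that classifies these kernel LOG lines by direction so the absence of LAN-to-LAN entries is visible at a glance; bridged frames between the wireless laptop and the wired printer only pass the FORWARD chain when the kernel's bridge-netfilter hook (bridge-nf-call-iptables) is enabled, which the silence on the ping suggests it is not on this build. The interface names and 192.168.2.0/24 are taken from the post; the third sample line is constructed.

```python
import ipaddress
import re

# Interface names and subnet as used on the DD-WRT box in the thread:
# br0 bridges the wired LAN ports and the wireless side, vlan1 is the WAN.
WAN_IF = "vlan1"
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

# Constructed sample: two lines from the thread's log output plus an assumed
# third line showing what a laptop-to-printer ping would look like if the
# bridge handed its frames to the FORWARD chain (needs bridge-netfilter).
SAMPLE_LOG = """\
Feb 10 15:17:29 tier2router user.warn kernel: IN=br0 OUT=vlan1 SRC=192.168.2.145 DST=87.248.210.254 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59937 DF PROTO=TCP SPT=45324 DPT=80 WINDOW=226 RES=0x00 ACK URGP=0
Feb 10 15:19:42 tier2router user.warn kernel: IN=vlan1 OUT=br0 SRC=87.248.210.254 DST=192.168.2.145 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=53033 DF PROTO=TCP SPT=80 DPT=45521 WINDOW=12466 RES=0x00 ACK URGP=0
Feb 10 15:20:01 tier2router user.warn kernel: IN=br0 OUT=br0 SRC=192.168.2.145 DST=192.168.2.108 LEN=84 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=1
"""

KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line):
    # KEY=VALUE pairs after 'kernel:'; bare flags (DF, ACK) carry no '=' and are dropped.
    _, sep, body = line.partition("kernel:")
    if not sep:
        return None  # not a netfilter LOG line
    return dict(KV_RE.findall(body))

def classify(fields):
    # Label a packet by its addresses and the interfaces it crossed.
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    src_lan, dst_lan = src in LAN_NET, dst in LAN_NET
    if src_lan and dst_lan:
        return "lan-to-lan"
    if src_lan and fields.get("OUT") == WAN_IF:
        return "lan-to-wan"
    if dst_lan and fields.get("IN") == WAN_IF:
        return "wan-to-lan"
    return "other"

def summarize(log_text):
    # Count entries per direction; no "lan-to-lan" key means bridged LAN traffic never hit iptables.
    counts = {}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields or "SRC" not in fields or "DST" not in fields:
            continue
        kind = classify(fields)
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```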
 
Old 02-22-2010, 10:11 AM   #22
zhjim
Sorry for the late reply, but I had been ill the last two weeks.

Anyway, I'd go without any -i or -o options, just plain:
Code:
iptables -I FORWARD -j LOG --log-prefix "forward: " --log-ip-options
Maybe extend this even further:
Code:
iptables -I FORWARD -j LOG --log-prefix "forward: " --log-ip-options
iptables -I INPUT -j LOG --log-prefix "input: " --log-ip-options
# the nat table has no FORWARD chain; incoming packets pass its PREROUTING chain
iptables -t nat -I PREROUTING -j LOG --log-prefix "nat in: " --log-ip-options
I once wrote a bit of a script to set up logging for each chain inside each table.
Code:
#!/bin/bash
# Insert (start) or delete (stop) an ICMP LOG rule at the head of every chain
# in every loaded iptables table, so a ping shows which path it takes.
SSH=22
#SOURCE
# broadcast address of eth0 (4th field of the "inet" line); set but not used below
BROAD=$(ip addr show dev eth0 | grep "inet " | awk '{print $4}')


function tables(){
OPTION=$1   # I = insert at the top of the chain, D = delete the matching rule
        # /proc/net/ip_tables_names lists the loaded tables (filter, nat, mangle, ...)
        for i in $(cat /proc/net/ip_tables_names); do
                # chain names are the second word of each "Chain NAME (...)" line
                for x in $(iptables -L -v -t $i | grep 'Chain' | awk '{print $2}'); do
                        # the leading echo only prints the command; drop it to apply the rule
                        echo iptables -t $i -$OPTION $x -p icmp -j LOG --log-prefix="$i $x "
                done
        done
}

function start(){
        echo "setting up path"
        tables I
}
function stop(){
        echo "Deleting path"
        tables D
}

case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        *)
                echo "Usage $0 start | stop"
esac
It contains some minor faults to mislead the light ones.
 
  

